The purpose of this document is to provide Outpost24 recommendations on scanning Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS).
Supervisory Control and Data Acquisition (SCADA) systems and Industrial Control Systems (ICS) are an integral part of the industrial environment and the Critical National Infrastructure (CNI). SCADA and ICS networks have until now been separated from corporate networks and intranets. As internet technologies become more integrated into everyday society, and corporations grow exponentially and go global, the remote auditing and control of industrial systems has increased. This has resulted in the merging of Internet Protocol (IP) and SCADA/ICS technologies, which has exposed the older field devices to a new set of attack vectors, leading to unprecedented vulnerabilities when integrated with IP.
In an age where cyber threats are ever evolving, the tools used to perform security audits and penetration tests against IP systems are subsequently being used on the older SCADA/ICS networks. These tools, without the correct configuration, could cause substantial damage to the SCADA devices connected to a business’s infrastructure, rather than helping to protect and audit them.
Scanning SCADA devices carries a HIGH risk of disrupting the behavior of these devices and is done at your own risk.
Outpost24 does NOT support scanning SCADA devices, as the risks associated with this far outweigh the convenience of running an automated scan.
Always check with the vendor of the device whether this is supported before proceeding with such activities.
Is it Recommended to Scan SCADA Devices?
We strongly advise against scanning SCADA devices. Disruption to business environments is likely, so take precautions before proceeding.
Please contact your vendor and ask if they are aware of known issues that might exist using vulnerability management solutions in conjunction with SCADA devices.
If the decision is still to go through with scanning a SCADA network, make sure to take all necessary precautions to minimize any disruption.
- It is recommended that any testing of SCADA devices is done through a Professional Services team.
- Prepare for a worst-case scenario.
- Limit scanning to only the controllers, not the SCADA systems themselves, as they tend to break even from the simplest port scan. The controllers (mostly Windows machines) are not a problem, and the advice is to place this kind of equipment in an isolated network to minimize exposure as much as possible.
- If the equipment is affected by a VM scan, that means it is vulnerable and needs to be secured.
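The scope restriction in the list above can be enforced before a scan is configured. The following is an added example, not Outpost24 code: it subtracts the ranges that hold SCADA field devices from a planned target list, so that only the remaining addresses are handed to the scanner. All addresses and function names are constructed for illustration, and IPv4 is assumed.

```python
import ipaddress


def build_scan_scope(planned, fragile):
    """Subtract fragile (SCADA field device) ranges from planned scan targets.

    Returns (allowed, removed) as sorted, collapsed lists of IPv4 networks.
    """
    planned_nets = [ipaddress.IPv4Network(p, strict=False) for p in planned]
    fragile_nets = [ipaddress.IPv4Network(f, strict=False) for f in fragile]
    allowed, removed = [], []
    for net in planned_nets:
        pieces = [net]
        for bad in fragile_nets:
            remaining = []
            for piece in pieces:
                if not piece.overlaps(bad):
                    remaining.append(piece)   # untouched by this exclusion
                elif piece.subnet_of(bad):
                    removed.append(piece)     # entirely inside a fragile range
                else:
                    # The fragile range sits inside this piece: keep the rest.
                    remaining.extend(piece.address_exclude(bad))
                    removed.append(bad)
            pieces = remaining
        allowed.extend(pieces)
    return (list(ipaddress.collapse_addresses(allowed)),
            list(ipaddress.collapse_addresses(removed)))


def in_scope(address, allowed):
    """True only if the address falls inside an approved scan range."""
    ip = ipaddress.IPv4Address(address)
    return any(ip in net for net in allowed)


# Constructed sample inventory (not from the original document).
PLANNED = ["10.20.0.0/24", "10.30.5.10/32"]     # what someone asked to scan
FRAGILE = ["10.20.0.128/26", "10.30.5.0/24"]    # ranges holding SCADA devices

if __name__ == "__main__":
    allowed, removed = build_scan_scope(PLANNED, FRAGILE)
    print("Scan targets:", ", ".join(str(n) for n in allowed))
    print("Removed from scope:", ", ".join(str(n) for n in removed))
```

The removed list is worth keeping with the scan change record, since it shows which requested targets were withheld and why.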
Securing SCADA Systems
Since scanning for vulnerabilities on SCADA systems is ill-advised, other steps need to be performed to secure the SCADA devices from being exploited.
- Defense in depth: Secure the business network!
- Install or upgrade to secure versions of common SCADA protocols.
- Ensure SCADA hardware is physically secure. For example, utility providers should ensure that substation facilities are locked.
- To the maximum extent practical, corporations should not post job listings that reference specific automation hardware and software.
- Do not permit portable devices to connect to the network purely for convenience. (There are cases where damage has been done to air-gapped facilities through USB drives.)
© 2022 Outpost24® All rights reserved. This document may only be redistributed unedited and unaltered. This document may be cited and referenced only if clearly crediting Outpost24® and this document as the source. Any other reproduction and redistribution in print or electronically is strictly prohibited without explicit permission.
Outpost24® and OUTSCAN™ are trademarks of Outpost24® in Sweden and other countries.